In one of the first published decisions regarding responsibility
for wire transfer losses arising from phishing, a federal
district court in Michigan ruled in favor of a company against
Comerica Bank after the company’s controller divulged account
access information in response to an email message. Wire
transfers are governed by Article 4A of the Uniform Commercial
Code, and Michigan’s version of the Code is substantially the same
as California’s. The central question before the court was whether
the bank had acted in good faith in carrying out the disputed
payment orders. The applicable provision in California is
Commercial Code Section 11202(b):

If a bank and its customer have agreed that the authenticity of
payment orders issued to the bank in the name of the customer as
sender will be verified pursuant to a security procedure, a
payment order received by the receiving bank is effective as the
order of the customer, whether or not authorized, if (i) the
security procedure is a commercially reasonable method of
providing security against unauthorized payment orders, and (ii)
the bank proves that it accepted the payment order in good faith
and in compliance with the security procedure and any written
agreement or instruction of the customer restricting acceptance
of payment orders issued in the name of the customer.

Good faith is defined as “honesty in fact and the observance of
reasonable commercial standards of fair dealing.” Commercial Code
Section 1201(b)(20). The definition has two parts: a subjective
“honesty in fact” standard, which looks to the bank’s actual intent
and knowledge, and an objective “fair dealing” standard, which
looks to what other banks do in similar circumstances and to
whether the bank’s conduct was fair to its customer.

The Facts

On the morning of January 21, 2009, Comerica Bank became aware
that phishing emails had been sent to its customers by third
parties trying to lure them into divulging sensitive account
information. The next day, at 6:48 a.m., the controller at
Experi-Metal Inc., a Comerica customer, received one of these
messages, believed it had been sent by Comerica, and replied with
all of the information the criminal needed to initiate wire
transfer payment orders. Between 7:30 a.m. and 2:02 p.m. that day,
ninety-three fraudulent payment orders totaling $1,901,269.00
were executed using the controller’s credentials. The majority of
the orders were directed to accounts at banks in Russia and
Estonia. Wire transfers were authorized to originate from the
company’s sweep account, among others, so to fund the fraud the
criminal first transferred money from Experi-Metal’s other
accounts into the sweep account. Some of the wires nevertheless
created overdrafts, which the bank covered.

At approximately 11:30 a.m., an investigation analyst at the bank
received a telephone call from its correspondent bank, JPMorgan
Chase, about six suspicious wire transfers. Comerica staff
investigated immediately, contacted the president of Experi-Metal,
and confirmed that the company had authorized no payment orders
that day. The bank then attempted to recall all of the processed
wires and to stop further activity. Those efforts were only
partially effective: disabling Experi-Metal’s user identifications
did not end the session the criminal already had open, so a user
already logged onto the system could keep initiating transfers,
and some orders initiated after the IDs were disabled still went
through. Eventually, Comerica recovered all but $561,399 of the
fraudulent transfers. A few months later Experi-Metal filed an
action against Comerica seeking to hold it liable for the
unrecovered amount.
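The gap described above (disabling a user ID without ending the session that is already open) is easy to reproduce in code, and the fix is equally concrete: de-authorization has to revoke live sessions and the per-order check has to re-read the user’s status. The following Python sketch is an added illustration, not Comerica’s system and not code from the opinion; the class, method names, timings and the “controller” user ID are assumptions.

```python
"""Added illustration (not Comerica's system): disabling a user ID must also
terminate that user's live sessions, or an attacker who is already logged in
keeps submitting payment orders. All names and timings are constructed."""
import secrets
from typing import Dict, Optional, Set


class SessionStore:
    """Tracks online-banking sessions for a bank's customers (constructed)."""

    def __init__(self, ttl_seconds: float = 900.0):
        self.ttl = ttl_seconds
        self._sessions: Dict[str, dict] = {}    # token -> {"user": ..., "issued": ...}
        self._disabled: Set[str] = set()         # user IDs that may no longer log in

    def login(self, user: str, now: float) -> str:
        """Issue a session token; refused for a disabled user ID."""
        if user in self._disabled:
            raise PermissionError("user ID disabled")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "issued": now}
        return token

    def disable_login(self, user: str) -> None:
        """Stop the user ID from logging in again. Live sessions are left
        untouched, which is exactly the gap described in the text."""
        self._disabled.add(user)

    def revoke_sessions(self, user: str) -> int:
        """Terminate every live session for the user; returns how many were cut."""
        dead = [t for t, s in self._sessions.items() if s["user"] == user]
        for t in dead:
            del self._sessions[t]
        return len(dead)

    def disable_user(self, user: str) -> int:
        """Hardened de-authorization: block new logins AND end live sessions."""
        self.disable_login(user)
        return self.revoke_sessions(user)

    def authorize_login_only(self, token: str, now: float) -> Optional[str]:
        """Weak per-order check: trusts any unexpired session, so a session
        opened before the ID was disabled can keep submitting orders."""
        s = self._sessions.get(token)
        if s is None or now - s["issued"] > self.ttl:
            return None
        return s["user"]

    def authorize(self, token: str, now: float) -> Optional[str]:
        """Hardened per-order check: also re-reads the user's status every time."""
        user = self.authorize_login_only(token, now)
        if user is None or user in self._disabled:
            return None
        return user


def demo() -> dict:
    """Walk through the sequence in the text with constructed times (seconds)."""
    store = SessionStore()
    t_login = 0.0
    tok = store.login("controller", t_login)               # criminal logs in with the phished ID
    store.disable_login("controller")                      # bank disables the user ID only
    weak = store.authorize_login_only(tok, t_login + 60)   # order still accepted
    hardened = store.authorize(tok, t_login + 60)          # order refused
    killed = store.disable_user("controller")              # also ends the live session
    after = store.authorize_login_only(tok, t_login + 120) # nothing left to trust
    try:
        store.login("controller", t_login + 180)
        relogin = "allowed"
    except PermissionError:
        relogin = "refused"
    return {"weak": weak, "hardened": hardened, "sessions_killed": killed,
            "weak_after_revoke": after, "relogin": relogin}
```

The point of `demo()` is the contrast between `weak` and `hardened`: with the login-only check the phished session survives the disabling of the ID, and only the combination of status re-check and session revocation closes the window.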

The Decision

The court first determined that Comerica and the customer,
Experi-Metal, had agreed that the authenticity of payment orders
would be verified pursuant to a security procedure, and that the
bank’s security procedure was commercially reasonable. (The bank
had adopted an authentication procedure using secure token
technology). It also determined that the controller was
authorized to initiate transfers for the company. The court then
turned to the question of good faith.

As is the rule in California, the bank in this case bore the
burden of proving that it acted in good faith in accepting the
transfers (see the section quoted above). The court found no
evidence of dishonesty on the part of the bank’s staff: they had no
knowledge that the orders were fraudulent, and they reacted
reasonably promptly once they learned of the scam. Still, the court
held that the bank could not prove good faith, because it failed to
demonstrate that it had observed reasonable commercial standards of
fair dealing.

In effect, this analysis erects a second threshold on the
question of commercial reasonableness. After all, the court had
already determined that the bank and the customer had agreed to
use security procedures and that the procedures were commercially
reasonable. The court explained that the objective prong of the
good faith test requires that the bank’s actions also be fair to
its customer. The bank’s key deficiency, according to the court,
was its failure to articulate what the applicable standards were,
specifically with respect to responding to a phishing incident.

Experi-Metal had offered expert testimony suggesting that the
bank’s fraud monitoring procedures fell short of industry
standards because it did not use fraud scoring and fraud
screening monitoring programs. With such a program the bank could
have recognized that the amount, frequency, and destination of
the fraudulent orders were entirely inconsistent with
Experi-Metal’s previous wire activity. However, the court declined
to rely on the company’s expert testimony because the witness did
not convincingly establish the extent to which other banks
actually deployed such tools. Nevertheless, as discussed below, the
court ultimately held the bank responsible for failing to perform
the kind of real-time analysis that could realistically only be
done with such analytical tools.

Comerica Bank also offered an expert witness, who testified that
its staff reacted within a reasonable time after being alerted to
the unauthorized transfers by JPMorgan Chase. But the court
questioned the witness’s qualification to address phishing
incidents specifically. What appeared to trouble the court the
most was that, while the bank followed its own security procedures
(authenticating the user, contacting the customer, de-authorizing
access, and so on), it nevertheless executed orders that were far
outside this customer’s normal pattern without applying any
heightened scrutiny. For example, the bank
allowed overdrafts totaling $5 million from a single account that
usually had a zero balance, and the ten unauthorized transactions
that caused overdrafts were entered consecutively within minutes
of each other during a single online session. The company’s prior
overdraft activity had been minimal. Moreover, the bank had
become aware just the day before that its customers had been the
target of phishing messages and the transfers were directed to
suspicious destinations.

The court’s sentiment was summed up in the concluding section of
its opinion: “This trier of fact [the judge] is inclined to find
that a bank dealing fairly with its customer, under these
circumstances, would have detected and/or stopped the fraudulent
wire activity earlier.” In practice, it would be very difficult
for a bank to conduct this level of analysis (comparing current
transactions with the customer’s historical activity) in real time
without the kind of monitoring software that the plaintiff’s
expert described as the industry standard, and which the court had
ostensibly set aside. The lesson of this case is that banks should
strengthen their monitoring so as not to bear the losses from
fraudulent wire transfers.
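The signals the court pointed to (amount, frequency and destination out of line with the customer’s history, overdrafts from an account that normally sits at zero, a burst of orders within minutes in one online session, and a known phishing campaign against the bank’s customers) are all things a screening rule can test against a per-customer baseline before a payment order is released. The following Python example is added here to make that concrete; it is not Comerica’s monitoring system, not the plaintiff’s expert’s tool, and not drawn from the opinion. The thresholds, account names, history and sample orders are constructed assumptions chosen to resemble the facts above, not the actual transactions.

```python
"""Added illustration (not Comerica's system): real-time screening of payment
orders against a customer's historical wire activity. Thresholds, accounts,
history and sample orders are constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class PaymentOrder:
    ts: datetime           # time the order was entered
    session_id: str        # online-banking session that entered it
    debit_account: str     # account the wire is drawn from
    amount: float
    dest_country: str      # country of the beneficiary bank


@dataclass
class CustomerProfile:
    """Baseline derived from the customer's prior wire history (constructed)."""
    max_amount: float            # largest wire previously sent
    dest_countries: Set[str]     # countries previously wired to
    balances: Dict[str, float]   # current ledger balance per account


@dataclass
class Screener:
    profile: CustomerProfile
    phishing_alert: bool = False                     # bank knows its customers were phished
    velocity_window: timedelta = timedelta(minutes=10)
    velocity_limit: int = 3                          # orders per session inside the window
    _recent: Dict[str, List[datetime]] = field(default_factory=lambda: defaultdict(list))

    def signals(self, order: PaymentOrder) -> List[str]:
        """Compare one order with the customer's history; return every anomaly found."""
        p = self.profile
        found = []
        if order.amount > p.max_amount:
            found.append("amount above historical maximum")
        if order.dest_country not in p.dest_countries:
            found.append("destination country never used before")
        if order.amount > p.balances.get(order.debit_account, 0.0):
            found.append("order would overdraw the debit account")
        # Velocity: orders entered consecutively within minutes in one session.
        seen = self._recent[order.session_id]
        seen[:] = [t for t in seen if order.ts - t <= self.velocity_window]
        seen.append(order.ts)
        if len(seen) > self.velocity_limit:
            found.append("order velocity above limit for one session")
        return found

    def decide(self, order: PaymentOrder) -> Tuple[str, List[str]]:
        """Return ('release' | 'review' | 'hold', signals). 'hold' means the order
        waits for an out-of-band callback to the customer before execution."""
        found = self.signals(order)
        if not found:
            self.profile.balances[order.debit_account] -= order.amount
            return "release", found
        # Two independent anomalies, or any anomaly while a phishing campaign is
        # known to be under way, is enough to stop the order for confirmation.
        if len(found) >= 2 or self.phishing_alert:
            return "hold", found
        return "review", found


def run_sample_day() -> List[Tuple[str, List[str]]]:
    """Constructed history and orders; amounts, times and accounts are illustrative only."""
    profile = CustomerProfile(max_amount=25_000.0,
                              dest_countries={"US", "CA"},
                              balances={"operating": 150_000.0, "sweep": 0.0})
    screener = Screener(profile, phishing_alert=True)   # alert raised the day before
    t0 = datetime(2009, 1, 22, 7, 30)
    orders = [
        PaymentOrder(t0, "sess-A", "operating", 12_000.0, "US"),                        # ordinary
        PaymentOrder(t0 + timedelta(minutes=1), "sess-B", "sweep", 60_000.0, "RU"),
        PaymentOrder(t0 + timedelta(minutes=2), "sess-B", "sweep", 55_000.0, "EE"),
        PaymentOrder(t0 + timedelta(minutes=3), "sess-B", "sweep", 58_000.0, "RU"),
        PaymentOrder(t0 + timedelta(minutes=4), "sess-B", "sweep", 61_000.0, "RU"),     # velocity too
    ]
    return [screener.decide(o) for o in orders]
```

Running `run_sample_day()` releases the one ordinary order and holds each of the others on several independent grounds; the fourth order in the second session additionally trips the velocity rule. Every test is a comparison with the customer’s own history, which is the analysis the court expected and which cannot be done by hand at wire speed.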

Absent from the court’s analysis is a discussion of how the
company controller’s falling for a phishing expedition should
affect the allocation of loss. If the case had been decided under
principles of negligence and the controller’s actions were deemed
to fall below the applicable standard of care, then principles of
contributory negligence would reduce the bank’s liability. But
the UCC is intended to be construed as an almost exclusive body
of authority as to matters that it clearly addresses.

In the seminal California case that also, incidentally, involved
Comerica Bank (Zengen v. Comerica Bank), the California Supreme
Court rejected negligence claims against the bank for allowing
unauthorized wire transfers initiated by a customer’s dishonest
employee. The court ruled that the matter had to be decided under
the UCC alone, because the issue (whether the customer had timely
notified the bank of the unauthorized transfer) fell squarely
within Section 11204 of the Commercial Code. Generally, strict
adherence to the UCC favors banks: it excludes contract,
negligence, and other common law claims, and it provides a road map
for compliance. The Experi-Metal decision suggests, however, that
Commercial Code Section 11202(b) places a significant and specific
burden on a bank: first to state what the applicable standards are,
and then to prove that it conformed to them.

The information contained in this CBA Regulatory Compliance
Bulletin is not intended to constitute, and should not be
received as, legal advice. Please consult with your counsel for
more detailed information applicable to your institution.